OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Information Security Series:
Security Practices

Integrated Compliance Information System

Report No. 2006-P-00020

March 29, 2006

Report Contributors:  Rudolph M. Brevard
                      Charles Dade
                      Neven Morcos
                      Jefferson Gilkeson
                      Scott Sammons

Abbreviations

ASSERT    Automated Security Self-Evaluation and Remediation Tracking
C&A       Certification and Accreditation
EPA       U.S. Environmental Protection Agency
FISMA     Federal Information Security Management Act
ICIS      Integrated Compliance Information System
NCC       National Computer Center
OECA      Office of Enforcement and Compliance Assurance
OIG       Office of Inspector General
OMB       Office of Management and Budget
POA&M     Plan of Action and Milestones
RTP       Research Triangle Park

U.S. Environmental Protection Agency
Office of Inspector General
2006-P-00020
March 29, 2006

At a Glance

Information Security Series: Security Practices
Integrated Compliance Information System

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency's compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Enforcement and Compliance Assurance's (OECA's) Integrated Compliance Information System (ICIS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. ICIS provides critical data and processing in support of the Agency's environmental law enforcement and compliance program.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060329-2006-P-00020.pdf

What We Found

The Office of Enforcement and Compliance Assurance (OECA) had implemented practices to ensure that the (1) Integrated Compliance Information System (ICIS) production servers were monitored for known vulnerabilities and (2) personnel with significant security responsibility completed the Agency's recommended specialized security training. However, we found that OECA could improve its practices to ensure that key security documents are maintained. Additionally, ICIS, a major application, was operating without a contingency plan or testing of the plan. OECA officials could have discovered the noted deficiencies had they implemented processes to ensure these Federal and Agency information security requirements were followed. As a result, ICIS had security control weaknesses that could affect OECA's operations, assets, and individuals.

What We Recommend

We recommend that the ICIS System Owner:

- Conduct a review of processes used to maintain ICIS' key information security documents and implement identified process improvements,
- Conduct a test of the ICIS contingency plan, and
- Develop Plans of Action and Milestones (POA&Ms) in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the OECA Information Security Officer:

- Conduct a review of OECA's current information security oversight processes and implement identified process improvements.

OECA agreed that ICIS needed a contingency plan and the office developed a plan. OECA did not agree that ICIS' security plan was not up-to-date, that the office should create a plan to review its information security practices, or that POA&Ms are needed for the identified weaknesses. Our audit disclosed that key security documents were not updated to reflect the results of critical security activities and, although OECA developed a contingency plan, the office has not tested it. As such, OECA should re-evaluate its security oversight program to identify weaknesses and create POA&Ms to track remediation of uncompleted tasks. OECA's response is at Appendix A.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

March 29, 2006

MEMORANDUM

SUBJECT:  Information Security Series: Security Practices
          Integrated Compliance Information System
          Report No. 2006-P-00020

FROM:     Rudolph M. Brevard /s/
          Director, Information Technology Audits

TO:       Granta Nakayama
          Assistant Administrator for Enforcement and Compliance Assurance

This is our final audit report on the information security controls audit of the Office of Enforcement and Compliance Assurance's Integrated Compliance Information System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575.

Table of Contents

At a Glance

Purpose of Audit

Background

Scope and Methodology

ICIS' Compliance with Federal and Agency Security Requirements
     Certification and Accreditation
     Contingency Planning

Recommendations

Agency Comments and OIG Evaluation

Appendices
A    Agency Response to Draft Report
B    Distribution

Purpose of Audit

Our objective was to determine whether the Office of Enforcement and Compliance Assurance's (OECA's) Integrated Compliance Information System (ICIS) complied with Federal and Agency information security requirements. ICIS provides critical data and processing in support of the Agency's environmental law enforcement and compliance program.

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. EPA's Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure that the security of its network infrastructure is consistent with these requirements. Program offices are responsible for managing the implementation of these security requirements within their respective organizations.

Program offices should create a Plan of Action and Milestones (POA&M) when they identify a security control weakness. The POA&M, which documents the planned remediation process, is recorded in the Agency's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool. ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency's official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA's information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA's Computer Security Program.

During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed the office's security practices surrounding these applications. Our overall review noted instances where EPA could improve its security practices, and the OIG reported the results to EPA's Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to security practice weaknesses identified in OECA. In particular, this report summarizes our results regarding how ICIS complies with Federal and EPA information security policies and procedures. This report also includes our evaluation of how OECA implemented, tested, and evaluated ICIS' information security controls to ensure continued compliance with reviewed Federal and Agency requirements. The Scope and Methodology section contains the specific information security controls audited during this review.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC, and the National Computer Center (NCC), Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at all locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities.

We assessed the following security practices for ICIS:

- Security Certification and Accreditation (C&A) practices -- We reviewed ICIS' C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.

- Application contingency plans -- We reviewed ICIS' contingency planning practices to determine whether they complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices).

- Security controls -- We reviewed two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing; and (2) physical access controls. The NCC manages the servers that run ICIS and provides the primary security controls for the application. Therefore, when evaluating system vulnerability monitoring, we reviewed practices at the NCC. We did not test physical controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review, and that audit found instances where EPA could improve its physical controls at RTP. We reported the results of that audit in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus.

- Annual Training Requirements -- We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

ICIS' Compliance with Federal and Agency Security Requirements

We noted ICIS' production servers were being monitored for known vulnerabilities and personnel with significant security responsibility had completed the Agency's recommended specialized security training. However, our audit highlighted areas where OECA should place more emphasis to comply with established Federal and Agency requirements. In particular, ICIS had weaknesses in the following areas:

- The practices for maintaining the security plan could be improved. The application security plan did not reflect ICIS' current operational status or document key security planning activities.

- The application lacked a contingency plan or testing of contingency response.

Ensuring effective practices for updating and maintaining the application security plan is vital in helping management determine whether effective security controls are implemented and operate as intended for an application. Developing and testing the contingency plan assists management in evaluating whether the organization can recover from a disruption in service and in determining where more emphasis is needed. These two important and widely recognized preventive controls help to protect the Agency's network infrastructure and assist EPA personnel to respond effectively to security incidents. By not emphasizing these key security controls, OECA places the integrity, confidentiality, and availability of ICIS information at risk.

Certification and Accreditation

Although we did not find significant deficiencies with the ICIS risk assessment and authorization to operate, our audit revealed that OECA practices for maintaining the security plan could be improved to ensure key security information is updated and key security activities are recorded. Our review determined that:

- The security plan OECA provided for review did not accurately reflect ICIS' current operational status. Although OECA officials indicated that they updated the security plan twice since ICIS' implementation in June 2002, the security plan OECA submitted for review indicated ICIS was under development.

- The security plan OECA provided for review did not reflect key security planning activities. OECA officials indicated that the security plan was updated in July 2004 and again in September 2004 because of a Risk Assessment and Vulnerability Assessment, respectively. However, these key security-planning activities were not recorded in the security plan OECA officials submitted for review.

Ensuring that effective practices are in place to keep the security plan up-to-date is essential. The security plan is a key document used by senior OECA officials to decide whether ICIS' current security controls are sufficient and whether adjustments to security controls are necessary before reaccrediting (reauthorizing) ICIS for continued operation.

Contingency Planning

OECA should improve its contingency planning for ICIS. OECA had not developed a plan for recovering or continuing operations of ICIS should a service disruption occur. Contingency plans establish the necessary procedures for continuing operations for critical systems and applications following disasters or loss of infrastructure support. Testing the plan would enable OECA to become familiar with the necessary recovery steps and help management identify where additional emphasis is needed.

OECA officials indicated that the office had developed a contingency plan for ICIS. OECA officials indicated that the contingency plan would be reviewed, revised, and re-approved in fiscal 2006 due to the implementation of ICIS Phase II. OECA officials indicated that they are investigating a more robust disaster recovery process, scheduled to be completed by the end of fiscal 2006. In this regard, OECA should record these key activities and milestones in the Agency's security weakness system (ASSERT database) for tracking.

Recommendations

We recommend that the Integrated Compliance Information System (ICIS) System Owner:

1. Conduct a review of processes used to maintain ICIS' key information security documents and implement identified process improvements.

2. Conduct a test of the ICIS contingency plan.

3. Develop a Plan of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the Office of Enforcement and Compliance Assurance's (OECA's) Information Security Officer:

4. Conduct a review of OECA's current information security oversight processes and implement identified process improvements.

Agency Comments and OIG Evaluation

OECA agreed with our finding that ICIS lacked a contingency plan, and OECA officials indicated that they took action to remediate the weakness. However, OECA should put in place a strategy for testing the new contingency plan. OECA did not agree that ICIS' security plan was not up-to-date and indicated that, subsequent to our audit field work, the office updated the security plan; we modified the report to remove the recommendation for OECA to update the ICIS security plan.

OECA asserts that it has adequate practices in place for maintaining the security plan and overseeing the program office's security program. OECA indicated that it reviews and recertifies all security plans for major applications every three years, as well as when a significant change to the application has occurred, and that it annually tests and evaluates information security controls and techniques, tracks the remediation of information security weaknesses identified, and reports the status of information security. However, our audit revealed that despite these efforts, OECA's oversight practices did not ensure the security plan was (1) updated with ICIS' current operational status and (2) reflected the results of key security activities. Additionally, OECA's practices did not ensure that ICIS, a major application, had an effective contingency plan or strategy, although the application had been in production for 3 years. Therefore, we feel OECA should re-evaluate its information security oversight processes to identify opportunities where information security could be strengthened.

OECA indicated that no further POA&Ms are needed to address the identified weaknesses. OECA indicated it has plans for major contingency planning activities for ICIS, and the office is in the process of investigating and evaluating a more robust disaster recovery process. OECA also has not completed a test of the newly developed contingency plan. In this regard, OECA should record these key activities and milestones in the Agency's security weakness database (1) for tracking and (2) to keep the Agency's CIO informed about the mitigation of security weaknesses for a key EPA major application. OECA's complete response is at Appendix A.

Appendix A

Agency Response to Draft Report

March 9, 2006

MEMORANDUM

SUBJECT:  Response to Draft Report "EPA Could Improve Information Security Practices for
          the Integrated Compliance Information System"

FROM:     Granta Y. Nakayama /s/
          Assistant Administrator

TO:       Rudolph M. Brevard, Director
          Information Technology Audits
          Office of the Inspector General

On February 9, 2006, the Office of Enforcement and Compliance Assurance (OECA) received the Office of Inspector General (OIG) draft report memorandum titled, "EPA Could Improve Information Security Practices for the Integrated Compliance Information System". In response to your draft report, provided below is additional information that more accurately reflects the state of our Information Security Practices as of the time of the writing of your report. OECA appreciates the opportunity to respond to this draft report and hopes that you will take into consideration the information provided when finalizing your report.

Response or Actions Taken to Address OIG Recommendations

1. Update the ICIS Security Plan.

OECA disagrees with your finding that the Integrated Compliance Information System (ICIS) Security Plan was not up to date at the time of your audit. ICIS currently has in place an updated Security Plan. The original ICIS Security Plan was approved in April 2002, prior to the system going into operation. ICIS was implemented on June 22, 2002. In November 2002, a review was conducted pursuant to the OMB A-130 requirement that security plans be reviewed subsequent to a significant change in the application. The deployment from the development environment to the production environment was deemed by the Office of Compliance ISO to be such a significant change. The revised ICIS Security Plan was approved on November 27, 2002. In December 2003, an ICIS Risk Assessment was performed to test the controls within the Security Plan. The Security Plan was updated in July 2004 to incorporate recommendations from the Risk Assessment. A Technical Vulnerability Assessment of ICIS was performed in September 2004. The plan was then again revised in April 2005 to incorporate recommendations from the Vulnerability Assessment. In July 2005 the plan was updated to meet new formatting requirements from NIST 800-18. On July 28, 2005, the ICIS Security Plan was re-approved, and the ICIS system was reauthorized to operate per requirements of OMB Circular A-130 and EPA policy. As a result, OECA believes we have already completed work to comply with this recommendation.

2. Develop and implement a process to periodically review and maintain the ICIS security plan in accordance with Federal and Agency requirements.

OECA currently has processes in place to periodically review and maintain the ICIS Security Plan. In accordance with OMB A-130 Appendix III, OECA reviews and recertifies all security plans for major applications every three years, as well as when a significant change to the application has occurred. It is for the latter reason that the security plan dated July 28, 2005, is now being revised, following NIST 800-53 guidelines in preparation for the deployment of ICIS Phase II. The draft revised plan is in the review and comment process and will be approved prior to the implementation of the second phase of ICIS this fiscal year.

In addition, as required under the Federal Information Security Management Act of 2002 (FISMA), OECA annually tests and evaluates information security controls and techniques, tracks the remediation of information security weaknesses identified, and reports the status of information security. The ASSERT (Automated Security Self-Evaluation & Remediation Tracking) tool is used to automate this process. The combination of this annual process and regular review and re-approval of the Security Plan ensures that the ICIS Security Plan and procedures are kept up-to-date as required by Federal and Agency requirements.

3. Develop and implement a contingency plan for ICIS.

OECA has developed and has in place a contingency plan for ICIS. That plan was reviewed based on Disaster Recovery Institute International (DRII) standards and was approved as of February 6, 2006. The ICIS Contingency Plan provides the following information: a business impact analysis, which assesses the value of the ICIS information; emergency procedures for limited, major, and catastrophic disruptions to ICIS; and recovery plans and testing requirements.

4. Develop and implement a process to test and maintain the ICIS contingency plan. The process should ensure the plan is (1) tested at least annually and (2) updated whenever significant changes occur to the system, supported business processes, key personnel, or to the contingency plan itself.

The contingency plan will be reviewed, revised and re-approved in FY2006 because of significant changes to the system resulting from the implementation of the ICIS Phase II system. ICIS Phase II will replace the current ICIS system and will greatly expand the current data and functionality of the system. In addition, OECA is in the process of investigating and evaluating a more robust disaster recovery process. This investigation includes reviewing the current approach and considering more efficient alternatives for disaster recovery. These activities are scheduled to be complete by the end of FY2006. In FY2007, OECA's plan is to review and update the ICIS Contingency Plan to incorporate results from the disaster recovery investigation. Now that the Contingency Plan is in place, it is a part of OECA's annual testing and evaluation of information security controls and techniques where we track the remediation of information security weaknesses identified, and report the information security status. As a result of our using processes currently in place, OECA believes we already comply with this recommendation.

5. Develop Plans of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

ICIS security weaknesses identified through the annual self-assessment result in Plans of Action and Milestones (POA&Ms) being created and tracked through ASSERT. There are currently no open POA&Ms in ASSERT for ICIS. In addition, because all of the findings of this report have been addressed per OECA's responses, no additional POA&Ms are required to be tracked.

6. Develop and implement a plan to re-evaluate system security oversight processes to ensure the above recommendations are uniformly applied to all general support systems and major applications within OECA.

The OECA and Office of Compliance Information Security Officers (ISOs) currently have procedures in place that ensure that they regularly review security checklists to make sure that all government wide and Agency requirements are met in a timely manner. Given the additional information provided in this response, we feel that current oversight processes are adequate to ensure that OECA systems remain in compliance with security policy.

If you need any additional information, please contact Betsy Smidinger, Deputy Director of the Enforcement Targeting and Data Division in OECA's Office of Compliance, at 202-564-4017 or at email address smidinger.betsy@epa.gov.

cc:  Catherine McCabe
     Linda Travers
     Michael Stahl
     Carolyn Sanders
     Gwendolyn Spriggs
     Kathy Dockery

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Enforcement and Compliance Assurance
Acting Assistant Administrator for Environmental Information
Acting Director, Technology and Information Security Staff
Audit Followup Coordinator, Office of Enforcement and Compliance Assurance
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General